When launching, the Trojan injects its code into svchost.exe, a system process.
It then registers on the remote malicious user's site by opening the following URL.
http://85.***.***.26/sesso/stat.php
The header of the request to the server contains the version of Windows running on the victim machine.
The server responds to the request by sending commands which determine what the Trojan will then do. The commands are as follows:
- flood
If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:
- Use Task Manager to terminate the Trojan process.
- Delete the following service: "Microsoft security update service"
- Delete the original Trojan file (the location will depend on how the program originally penetrated the victim machine).
- Delete the following file: %System%\mssrv32.exe
- Update your antivirus databases and perform a full scan of the computer (download a trial version of Kaspersky Anti-Virus).
This malicious program is a Trojan. It is a Windows PE EXE file. It is 12788 bytes in size.
Installation
When installing, the Trojan copies its executable file to the Windows system directory:
%System%\mssrv32.exe
In order to ensure that it is launched each time the system is started, the Trojan creates a service called "Microsoft security update service".
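A read-only check for the two installation artifacts named in this description (the service and the copied file), added here as an example and not part of the original write-up. Checking SysWOW64 in addition to the system directory is an assumption about file-system redirection on 64-bit Windows.

```powershell
# Added example: reports the artifacts from this description; it changes nothing.
$serviceLabel = 'Microsoft security update service'   # service name from the description
$fileName     = 'mssrv32.exe'                          # dropped copy from the description
$expectedSize = 12788                                  # size in bytes from the description

# %System% is the Windows system directory. SysWOW64 is also checked on the
# assumption that a 32-bit process on 64-bit Windows is redirected there.
$dirs = @(
    [Environment]::SystemDirectory,
    (Join-Path $env:SystemRoot 'SysWOW64')
) | Where-Object { Test-Path -LiteralPath $_ } | Select-Object -Unique

$findings = @()

# Match on service name, display name, or a binary path pointing at the dropped file.
$services = Get-CimInstance -ClassName Win32_Service | Where-Object {
    $_.Name -eq $serviceLabel -or
    $_.DisplayName -eq $serviceLabel -or
    ($_.PathName -and $_.PathName -like "*\$fileName*")
}
foreach ($svc in $services) {
    $findings += [pscustomobject]@{
        Type   = 'Service'
        Item   = $svc.Name
        Detail = "DisplayName='$($svc.DisplayName)' State=$($svc.State) Path=$($svc.PathName)"
    }
}

# Look for the copied executable and compare its size with the one stated above.
foreach ($dir in $dirs) {
    $path = Join-Path $dir $fileName
    if (Test-Path -LiteralPath $path -PathType Leaf) {
        $file = Get-Item -LiteralPath $path -Force
        $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        $findings += [pscustomobject]@{
            Type   = 'File'
            Item   = $path
            Detail = "Size=$($file.Length) SizeMatches=$($file.Length -eq $expectedSize) SHA256=$hash"
        }
    }
}

if ($findings.Count -eq 0) { 'No artifacts from this description were found.' }
else { $findings | Format-List }
```

Run it from a 64-bit PowerShell session so that the system directory is not redirected; a size mismatch on a file with this name still warrants a look, since the stated size applies to the sample described here.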
Payload
